Making the Most of an Offensive Security Exercise

This whitepaper was authored for CrowdStrike. You can find it here (no email required).

While the whitepaper lives on CrowdStrike's page, I want to add a few notes here. Some of it deals expressly with CrowdStrike service offerings, so there are marketing elements to the information, but I tried to write the paper so that it could inform and guide anyone, even if you're not using CrowdStrike (though I recommend it).

Offensive security is critical to an organization at any maturity level above 'rudimentary'. It solidifies your understanding of what you're doing well (and not so well). It raises new questions that get you out of your usual mode of thinking. It highlights the return on the security investment you have already made. But the work doesn't stop once you've selected an exercise. To really get the most out of it, you need to do a few more things.

To cover some of the key elements of the whitepaper, organizations should consider:

Picking the Exercise:

  • What do we want to test? People, processes, technology? All of the above?
  • Do we want to find every hole we can (breadth), or find the things we've overlooked (depth)?
  • Realistically: how much are we willing to spend? The budget constrains the length of the engagement and therefore how far the team can get.

Planning the Exercise:

  • How will we provision access? VPN, a witting click (an employee who knowingly runs the payload to simulate a successful phish), VDI?
  • What account will the team use? A brand new account, or a decommissioned account that still looks like a real user?
  • What story are we telling? Give the test account the same access the persona in that story would actually have, so the results reflect a realistic starting point.
  • Are these IPs really ours? Address ranges change hands frequently, and testing an address that now belongs to someone else is an unauthorized attack, not a test.
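A practical way to answer the last question is to check the target list against the ranges the client claims, and then check those ranges against what the registry actually says about them. The following is an added example (not from the whitepaper or from CrowdStrike); the organization name, CIDR blocks, targets and the registry records are all constructed stand-ins so it runs offline, and in a real engagement the `REGISTRY` dictionary would be replaced by live RDAP or whois lookups.

```python
import ipaddress
from dataclasses import dataclass

# --- Constructed sample data (hypothetical; not from the whitepaper) ---
CLIENT_ORG = "Example Corp"

# Ranges the client asserts are theirs and in scope for the exercise.
CLAIMED_SCOPE = ["203.0.113.0/24", "198.51.100.0/25"]

# Stand-in for registry (RDAP/whois) results, embedded so the example runs
# offline. Note the second block was reassigned: the client no longer owns it.
REGISTRY = {
    "203.0.113.0/24": "Example Corp",
    "198.51.100.0/24": "Other Hosting LLC",
}

# Targets the test team has been handed.
TARGETS = ["203.0.113.10", "198.51.100.5", "192.0.2.77"]


@dataclass
class Finding:
    target: str
    status: str   # "ok", "out_of_scope" or "ownership_mismatch"
    detail: str


def registered_owner(net):
    """Return the owner of the most specific registry record covering net.

    Registry allocations can be larger than the client's claimed block, so a
    claimed /25 is matched against a registered /24 that contains it.
    """
    best = None
    for rec, owner in REGISTRY.items():
        rec_net = ipaddress.ip_network(rec)
        if net.version == rec_net.version and net.subnet_of(rec_net):
            if best is None or rec_net.prefixlen > best[0].prefixlen:
                best = (rec_net, owner)
    return best[1] if best else None


def validate_scope(claimed, targets, org):
    """Classify every target as ok, out of the claimed scope, or inside a
    claimed range whose registered owner is not the client."""
    nets = [ipaddress.ip_network(c, strict=True) for c in claimed]

    # First verify that each claimed range is really registered to the client.
    wrong_owner = {}
    for n in nets:
        owner = registered_owner(n)
        if owner != org:
            wrong_owner[n] = owner

    findings = []
    for t in targets:
        addr = ipaddress.ip_address(t)
        covering = [n for n in nets if addr in n]
        if not covering:
            findings.append(Finding(t, "out_of_scope", "not in any claimed range"))
            continue
        n = covering[0]
        if n in wrong_owner:
            findings.append(Finding(
                t, "ownership_mismatch",
                f"{n} is registered to {wrong_owner[n]!r}, not {org!r}"))
        else:
            findings.append(Finding(t, "ok", f"in {n}, registered to {org!r}"))
    return findings


if __name__ == "__main__":
    for f in validate_scope(CLAIMED_SCOPE, TARGETS, CLIENT_ORG):
        print(f"{f.target:<16} {f.status:<19} {f.detail}")
```

Anything that comes back as `out_of_scope` or `ownership_mismatch` should be resolved with the client in writing before the first packet is sent; a target that fails the ownership check is the case the bullet above is warning about.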

During the Exercise:

  • Stay in contact. Don't ghost the test team just because you think "they've got it". We often need to deconflict activity with real incidents or ask clarifying questions.
  • Plan for the team being caught. If stealth was one of the objectives, decide in advance how you want to proceed when detection happens: stop, continue noisily, or reset and try another path.
  • Resist the urge to fix on the go. Chaining attacks together is what shows the full impact of the issues. If you fix something the moment it's found, we can't demonstrate where it would have led.

After the Exercise:

  • Plan for a timely wrap-up. If you're not careful, suddenly it's three months later, no one remembers what happened, the logs have rolled over, and the urgency to fix the issues has probably gone with them.
  • Share as much as you can with as many people as you can. Finding these gaps does no good if the information never reaches the people who can fix them.
  • View the results as opportunities, not issues. Yes, someone specific may have screwed up, maybe more than once. But we can all learn and grow, so focus on the future.

As I talk about on my about page, it's so important to know ourselves. As people. As teams. As companies. Offensive security helps us do that from the security angle.